cdcarlis@southe (Trusted Contributor)

Extract data from $message using a local variable


Good morning Protect!

Let's try this again. I feel like I'm making progress with this, I just can't get the final piece. I currently have this: (screenshot)

I have an action to set event field device custom string 4 to $output, and when the rule fires my correlated event just has $output in device custom string 4. Why isn't this working? This particular event's $message is a unix log and has 30+ digits, and I just want the username.


Accepted Solution
joshua.zganjar (Absent Member)

Re: Extract data from $message using a local variable


It may also be possible to do this:

$message.replaceAll('.*user: ([^\s]+).*','$1')

But I'm not entirely sure if that would work. That just adds a ".*" saying everything before "user:", but that part might match on "user:" as well and not produce anything. Worth a try if you don't see an easy fix for the regex.

cdcarlis@southe (Trusted Contributor)


bump

joshua.zganjar (Absent Member)


Hi Charles,

I have a quick question for you. Are you aggregating your message field up from the base event? Does your correlated rule fire show the correct message?

cdcarlis@southe (Trusted Contributor)


I am; I do receive the correct event.message in the correlated event. I'm aggregating on identical event.name, event.message and device custom string 4.

Michel Beaudry (Outstanding Contributor)


Hi Charles,

I don't believe you need to assign $message to $string, since you can directly say:

evaluate_velocity_template($message.replaceAll('user:......

As far as your regex is concerned, I can't validate it without knowing the content it's trying to evaluate. One thing is for sure: if you're getting $output as a value, then the evaluate_velocity_template function did not produce anything valid.

If you haven't validated your regex, I would advise doing so with a site like http://www.regex101.com

Regards,

Michel Beaudry

joshua.zganjar (Absent Member)


That is correct, you can simply use $message in the place of $string. Instead of having your replace condition in a variable, try using it in your event field directly. Right now you have $output in your device custom string 4 field, change that to:

$message.replaceAll('user:([^:]+),*','$1')

As Michel said, we won't be able to validate your output since we don't have the same thing to check, but assuming your regex is correct that should produce what you want it to.

cdcarlis@southe (Trusted Contributor)


This is me just trying to learn how to extract a string. The message in question:

Authentication <failure> for <Active Directory> user: <usernname> account: <domain\username> service: <service> reason: <>

Let me clarify something:

am I supposed to create a variable calling $message.replaceAll, or am I supposed to set an action where dcs4=$message.replaceAll(regex)?

joshua.zganjar (Absent Member)


Set the action to dcs4=$message.replaceAll(regex)

That should at least change the output in the dcs4 field. If it's not correct but it's no longer just the variable string, then you will know that your regex isn't working correctly and you'll be able to fix it from there.

Based on the regex you provided earlier you are looking to start your replace on the "space" after the "user:" and end on the ":" after "account". If that's not going to be what you want I would recommend adding a space in your regex to both the start and end of the replace expression. Below is an example:

dcs4=$message.replaceAll('user: ([^\s]+) account','$1')

I have no way of confirming if this works or not at the moment since I don't have any events that look like that, but hopefully that spurs some ideas if your original doesn't work.

cdcarlis@southe (Trusted Contributor)


(screenshot)

I've removed the local variable and put that directly into the action "set event field" for dcs4; this is what happens. I noticed I had an extra ' in there and removed that, but it still produces the same.

david.bergeron@ (Respected Contributor)


Hello

I may be wrong but you should be able to find the problem with your velocity variable in the arcsight/manager/velocity.log.

Did you take a look?

Regards

David

joshua.zganjar (Absent Member)


Can you try putting this in the dcs4 field: $message.replaceAll('user: ([^\s]+).*','$1')

This appears to be working just fine on my end. When you try that can you also provide a screenshot of your action field to verify that it looks correct as well?

cdcarlis@southe (Trusted Contributor)


Okay, so a little bit of progress: the string is working on the action. I may not have been waiting long enough for the rule engine to apply the change I made. However, I will show you the string before and after the variable is applied:

Authentication <failure> for <Active Directory> user: <usernname> account: <domain\username> service: <service> reason: <>

Authentication <failure> for <Active Directory>  <usernname>  <domain\username> service: <service> reason: <>

It's just stripping "user:" and "account:" when I actually want what follows user, and I don't care about account. However, this is just a regex problem, and I'll just need to research more and figure out how to extract what I need.

joshua.zganjar (Absent Member)


Great! Give the regex I provided you above a try and see what it does for you. I can walk you through what it's doing if you need.

joshua.zganjar (Absent Member)


Sorry, I just realized you have things before "user:". So here's a modified version of the regex that I think should work.

$message.replaceAll('Authentication [^\s]+ for [^\s]+ user: ([^\s]+).*','$1')

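Added example, not from any post in this thread: Velocity's $message.replaceAll() is Java's String.replaceAll(), so the patterns from the accepted answer and from the modified regex above behave exactly the same in plain Java. It runs them against the sample message quoted in the thread (constructed here as a string constant) and shows why a partial-match pattern only strips "user:", why the anchored .* pattern collapses the line to the username, and what happens when nothing matches at all. The class and method names are mine.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UserExtract {
    // Constructed sample, copied from the message quoted in the thread.
    static final String MSG =
        "Authentication <failure> for <Active Directory> user: <usernname> "
      + "account: <domain\\username> service: <service> reason: <>";

    // Partial-match pattern: replaceAll() rewrites only the matched span,
    // so the rest of the line survives and "user:" simply disappears.
    static String partial(String msg) {
        return msg.replaceAll("user:([^:]+),*", "$1");
    }

    // Accepted answer: the leading and trailing .* consume the whole line,
    // so the entire message is replaced by group 1 (the username token).
    static String anchored(String msg) {
        return msg.replaceAll(".*user: ([^\\s]+).*", "$1");
    }

    // The later, more specific pattern. On this sample "<Active Directory>"
    // contains a space, so "for [^\\s]+ user:" never matches and replaceAll()
    // hands back the input untouched.
    static String specific(String msg) {
        return msg.replaceAll(
            "Authentication [^\\s]+ for [^\\s]+ user: ([^\\s]+).*", "$1");
    }

    // Defensive variant: confirm a match before trusting the value, because
    // replaceAll() returning the input unchanged would silently put the whole
    // log line into deviceCustomString4 and nothing downstream would notice.
    static String extractUser(String msg) {
        Matcher m = Pattern.compile("user: ([^\\s]+)").matcher(msg);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        System.out.println(partial(MSG));
        System.out.println(anchored(MSG));
        System.out.println(specific(MSG).equals(MSG));   // no match: unchanged
        System.out.println(extractUser(MSG));
        System.out.println(extractUser("Authentication <success> for <LDAP>"));
    }
}
```

In the Velocity expression the single-quoted literals reach Java as written, so `\s` and `$1` need no extra escaping there; only Java source needs the doubled backslashes shown here.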
joshua.zganjar (Absent Member)


Sometimes the rules engine can take up to 5 minutes to apply a change I've noticed. If possible I would recommend creating a channel that's very small and has the events you want in it and use that to test your rule. It'll be much faster.
